On 07/12/2008 12:14:21 AM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote:
> Hi,
>
>> I compile my server binaries and never rely on pre-compiled versions; I
>> _never_ imagined using Apache without suexec which IMHO is a complete
>> nonsense and should be a default behavior. Finally I never imagined
>> running any virtualhost with the Apache user. That way, running Apache
>> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.
>
> What do you mean by not using the Apache user? I know there are several
> MPMs back there that do what mpm_perchild should have done, but they
> have (as far as I can tell) some major drawbacks themselves (for
> example, at least one has to run the mod_ssl code as root which is
> really bad should there be a buffer overflow).
I mean any CGI/FastCGI/executables of some kind must not run as the same user the Apache children run as. This is easy to do: just set the suexecusergroup directive inside the default virtualhost (or the first one) with a different user from the User directive. I am not talking about static content, which is harmless to serve as the same user.

> And if you don't run your virtual hosts as a separate user, even with
> suexec there is a very small vulnerability window to grab the
> authentication data. That's why I understand the Apache people for not
> passing the Authorization header by default.

There is no such small window because suexec is setuid, thus AFAIK the environment is passed when the process memory footprint is already owned by root. Besides, that environment is only readable by the Apache user, who in a correct suexec setup doesn't run any CGI directly (it only runs Apache children). Obviously, that Apache user must be a dedicated user, and not a generic anonymous user which multiple applications are running under (i.e. if your "nobody" user is only used by Apache processes, it's OK).

Apache people set that compile flag off by default because suexec is by far not a "default" feature. There are so many Apache setups out there running everything with a single user, even some shared hosting providers.

>> It is then better to keep the default apache
>> configuration safe by _not_ opening such security issues and applying
>> the patch you proposed directly at the module level.
>
> Or to always pass the Authorization header at module level (which I also
> proposed).

CGI/FastCGI processes are not designed to parse HTTP headers, we should not pass them more headers. But if you mean always converting the Authorization header to its HTTP_ corresponding environment variable, I think it is safe to do so.

Gabriel
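The setup Gabriel describes, as an added configuration example that is not part of the thread or of mod_fcgid itself: the httpd children run as a dedicated account set by the User/Group directives, and every virtual host, including the first (default) one, carries a SuexecUserGroup naming a different unprivileged user, so no CGI/FastCGI process ever executes as the Apache user. All user names, group names, host names and paths are hypothetical, and the access-control lines use Apache 2.4 syntax (`Require all granted`); on 2.2 the equivalent is `Order allow,deny` / `Allow from all`.

```apache
# Added example, not from the mailing-list thread or the mod_fcgid project.
# Hypothetical account names, host names and paths throughout.

# Dedicated account for the httpd worker processes. Nothing else on the box
# runs as this user, so the CGI environment it hands to suexec is not
# readable by any other application.
User httpd-worker
Group httpd-worker

# The first VirtualHost is the default one; it must also carry its own
# SuexecUserGroup, different from the User directive above, so that nothing
# reaching the default vhost executes as httpd-worker.
<VirtualHost *:80>
    ServerName default.example.invalid
    DocumentRoot /srv/www/default/htdocs
    SuexecUserGroup cgi-default cgi-default
    ScriptAlias /cgi-bin/ /srv/www/default/cgi-bin/
    <Directory /srv/www/default/cgi-bin>
        Options +ExecCGI
        Require all granted
    </Directory>
</VirtualHost>

# Every further vhost gets its own user and group, so a compromised
# application in one vhost cannot read another vhost's files or environment.
<VirtualHost *:80>
    ServerName site1.example.invalid
    DocumentRoot /srv/www/site1/htdocs
    SuexecUserGroup cgi-site1 cgi-site1
    <Directory /srv/www/site1/htdocs>
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>
</VirtualHost>
```

Before relying on this, run `suexec -V` to see the compile-time constraints the suexec binary enforces (the document root it will execute from, the minimum UID/GID, the name of the httpd user allowed to call it) and make sure the cgi-* accounts and script locations satisfy them; a mismatch makes suexec refuse the request and log the reason in its own log rather than falling back to the Apache user. `apachectl -t` checks the syntax, and a test CGI that prints `id` confirms which user the scripts actually run as.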